MDE_File_Sample_ae05c8740cf90e11c72b757ce58f3fa261c8dc5d[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

MDE_File_Sample_ae05c8740cf90e11c72b757ce58f3fa261c8dc5d.zip
Size

5.6MB
MD5

01ede71158ac2562c00f8e9fa5d91b89
SHA1

560be6c82e3a1569e8f2e31f043edab439dd917a
SHA256

56f023006663cc5eaa7ae0b38b779b288accb6838731db73f777f7e66f57491e
SHA512

96cb35d3add4f70fcf87ec26093b32b42f86ea8db79f9c638fcc965daf6fc47eeb32bbb422209b233c03cb084de6e8cdbaf642701d0eb88c5736f79f9109007e
SSDEEP

98304:ikpitJiZPvbzHtCwFyxDnp+GI95HO+jfkrzemN5uNYh9tSXX6mGWBwTqehgHvV:ikpitYZHfHtXorCuSfk7vSgSXqmh8oHN

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://asana.com/

Signatures

Unsigned PE 8 IoCs

Checks for missing Authenticode signature.

resource
unpack002/VFS/ProgramFilesX64/7z2404-extra/7za.dll
unpack002/VFS/ProgramFilesX64/7z2404-extra/7za.exe
unpack002/VFS/ProgramFilesX64/7z2404-extra/7zxa.dll
unpack002/VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipFar.dll
unpack002/VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipFar64.dll
unpack002/VFS/ProgramFilesX64/7z2404-extra/x64/7za.dll
unpack002/VFS/ProgramFilesX64/7z2404-extra/x64/7za.exe
unpack002/VFS/ProgramFilesX64/7z2404-extra/x64/7zxa.dll

Files

MDE_File_Sample_ae05c8740cf90e11c72b757ce58f3fa261c8dc5d.zip
.zip

Password: infected
$RAZHVL7.msix
.appx

Password: infected
AppxBlockMap.xml
.xml
AppxManifest.xml
AppxSignature.p7x
Assets/logo.png
.png

Password: infected
PsfLauncher32.exe
.exe windows:6 windows x86 arch:x86

Password: infected

7b63f97e8f0c360699c20e7c30842630

Code Sign

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/03/2023, 18:43

Not After

14/03/2024, 18:43

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

69:d0:13:a7:5c:5d:ae:aa:c3:29:0e:40:43:a3:04:13:6f:c5:dc:11:70:6e:61:98:2b:51:5d:b4:82:d0:23:0d
Signer

Actual PE Digest

69:d0:13:a7:5c:5d:ae:aa:c3:29:0e:40:43:a3:04:13:6f:c5:dc:11:70:6e:61:98:2b:51:5d:b4:82:d0:23:0d

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\a\1\s\Win32\Release\PsfLauncher32.pdb

Imports

kernel32

InitializeProcThreadAttributeList
WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
MultiByteToWideChar
Sleep
FormatMessageW
GetLastError
UpdateProcThreadAttribute
OutputDebugStringW
WaitForSingleObjectEx
QueryPerformanceFrequency
OpenSemaphoreW
CloseHandle
DeleteProcThreadAttributeList
HeapAlloc
OutputDebugStringA
GetProcAddress
CreateMutexExW
VerSetConditionMask
GetCurrentPackageFullName
GetCurrentProcessId
GetProcessHeap
CreateProcessW
GetModuleHandleW
VerifyVersionInfoW
DebugBreak
QueryPerformanceCounter
IsDebuggerPresent
GetExitCodeProcess
HeapSize
GetConsoleMode
GetCurrentApplicationUserModelId
ExpandEnvironmentStringsW
GetModuleHandleExW
ReleaseSemaphore
SetLastError
HeapFree
CreateSemaphoreExW
GetCurrentPackageFamilyName
GetModuleFileNameA
GetConsoleOutputCP
FlushFileBuffers
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
HeapReAlloc
LocalFree
FormatMessageA
GetStringTypeW
CreateFileW
FindClose
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
SetFilePointerEx
AreFileApisANSI
GetFileInformationByHandleEx
WideCharToMultiByte
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
LCMapStringEx
GetSystemTimeAsFileTime
GetCPInfo
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
InitializeSListHead
RtlUnwind
RaiseException
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
CreateThread
ExitThread
FreeLibraryAndExitThread
ExitProcess
GetModuleFileNameW
GetStdHandle
WriteFile
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType
WriteConsoleW

user32

WaitForInputIdle
MessageBoxExW

advapi32

RegDeleteKeyExW
EventWriteTransfer
EventRegister
RegCreateKeyExW
EventSetInformation
EventUnregister
RegQueryValueExW
RegCloseKey

shell32

ShellExecuteExW
SHGetKnownFolderPath

ole32

CoTaskMemFree
CoInitializeEx

psfruntime32

_PSFQueryAppMonitorConfig@0
_PSFQueryConfigRoot@0
_PSFQueryCurrentAppLaunchConfig@4
_PSFReportError@4
_PSFQueryPackageRootPath@0
_PSFQueryStartScriptInfo@0
_PSFQueryEndScriptInfo@0
_PSFQueryExeConfig@4

Sections

.text
Size: 207KB - Virtual size: 207KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
PsfLauncher64.exe
.exe windows:6 windows x64 arch:x64

Password: infected

8e9b7caff9376bbdc8b416a414b64656

Code Sign

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/03/2023, 18:43

Not After

14/03/2024, 18:43

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

2a:cd:2b:db:ff:a7:68:4f:c2:5f:f0:a2:a0:60:28:15:f6:47:23:6c:9f:05:81:18:52:9c:1e:da:d3:52:e0:28
Signer

Actual PE Digest

2a:cd:2b:db:ff:a7:68:4f:c2:5f:f0:a2:a0:60:28:15:f6:47:23:6c:9f:05:81:18:52:9c:1e:da:d3:52:e0:28

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\1\s\x64\Release\PsfLauncher64.pdb

Imports

kernel32

InitializeProcThreadAttributeList
WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
MultiByteToWideChar
Sleep
FormatMessageW
GetLastError
UpdateProcThreadAttribute
OutputDebugStringW
WaitForSingleObjectEx
QueryPerformanceFrequency
OpenSemaphoreW
CloseHandle
DeleteProcThreadAttributeList
HeapAlloc
OutputDebugStringA
GetProcAddress
CreateMutexExW
VerSetConditionMask
GetCurrentPackageFullName
GetCurrentProcessId
GetProcessHeap
CreateProcessW
GetModuleHandleW
VerifyVersionInfoW
DebugBreak
QueryPerformanceCounter
IsDebuggerPresent
GetExitCodeProcess
WriteConsoleW
HeapSize
GetCurrentApplicationUserModelId
ExpandEnvironmentStringsW
GetModuleHandleExW
ReleaseSemaphore
SetLastError
HeapFree
CreateSemaphoreExW
GetCurrentPackageFamilyName
GetModuleFileNameA
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
HeapReAlloc
LocalFree
FormatMessageA
GetStringTypeW
CreateFileW
FindClose
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
SetFilePointerEx
AreFileApisANSI
GetFileInformationByHandleEx
WideCharToMultiByte
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
LCMapStringEx
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetSystemTimeAsFileTime
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
InitializeSListHead
RtlUnwindEx
RtlPcToFileHeader
RaiseException
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
CreateThread
ExitThread
FreeLibraryAndExitThread
ExitProcess
GetModuleFileNameW
GetStdHandle
WriteFile
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType

user32

WaitForInputIdle
MessageBoxExW

advapi32

RegDeleteKeyExW
EventWriteTransfer
EventRegister
RegCreateKeyExW
EventSetInformation
EventUnregister
RegQueryValueExW
RegCloseKey

shell32

ShellExecuteExW
SHGetKnownFolderPath

ole32

CoTaskMemFree
CoInitializeEx

psfruntime64

PSFQueryAppMonitorConfig
PSFQueryConfigRoot
PSFQueryCurrentAppLaunchConfig
PSFReportError
PSFQueryPackageRootPath
PSFQueryStartScriptInfo
PSFQueryEndScriptInfo
PSFQueryExeConfig

Sections

.text
Size: 242KB - Virtual size: 242KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 94KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
PsfRunDll32.exe
.exe windows:6 windows x86 arch:x86

Password: infected

b1a931f51b30b56b60ecdb5d25bf3458

Code Sign

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/03/2023, 18:43

Not After

14/03/2024, 18:43

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

27:7e:36:6a:87:38:f0:2d:f9:50:ec:7d:2e:ce:46:5c:7b:f6:e0:42:cf:ba:4c:97:d2:a9:53:57:4a:67:a3:d7
Signer

Actual PE Digest

27:7e:36:6a:87:38:f0:2d:f9:50:ec:7d:2e:ce:46:5c:7b:f6:e0:42:cf:ba:4c:97:d2:a9:53:57:4a:67:a3:d7

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\a\1\s\Win32\Release\PsfRunDll32.pdb

Imports

kernel32

GetLastError
LoadLibraryA
GetProcAddress
WriteConsoleW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwind
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
EncodePointer
RaiseException
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
GetStringTypeW
LCMapStringW
GetProcessHeap
HeapSize
HeapReAlloc
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
SetFilePointerEx
CreateFileW
CloseHandle
DecodePointer

Sections

.text
Size: 51KB - Virtual size: 50KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
PsfRunDll64.exe
.exe windows:6 windows x64 arch:x64

Password: infected

0e5c9a29fdcee2791341cd303678be64

Code Sign

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/03/2023, 18:43

Not After

14/03/2024, 18:43

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

cb:df:4d:bb:88:21:a0:92:0e:ed:70:53:11:a3:0f:3a:6c:39:80:c1:ce:0d:af:38:4e:b7:e3:f9:e3:b8:97:cd
Signer

Actual PE Digest

cb:df:4d:bb:88:21:a0:92:0e:ed:70:53:11:a3:0f:3a:6c:39:80:c1:ce:0d:af:38:4e:b7:e3:f9:e3:b8:97:cd

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\1\s\x64\Release\PsfRunDll64.pdb

Imports

kernel32

GetLastError
LoadLibraryA
GetProcAddress
WriteConsoleW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
EncodePointer
RaiseException
RtlPcToFileHeader
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
GetStringTypeW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
LCMapStringW
GetProcessHeap
HeapSize
HeapReAlloc
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
SetFilePointerEx
CreateFileW
CloseHandle

Sections

.text
Size: 56KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
PsfRuntime32.dll
.dll windows:6 windows x86 arch:x86

Password: infected

f229992937d1d790b50a1cb368509a49

Code Sign

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/03/2023, 18:43

Not After

14/03/2024, 18:43

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

89:87:ff:46:cb:36:89:89:f5:08:c5:c9:86:65:9d:76:b5:64:22:07:4f:0f:05:e1:8a:e4:9d:b7:ac:77:5f:e7
Signer

Actual PE Digest

89:87:ff:46:cb:36:89:89:f5:08:c5:c9:86:65:9d:76:b5:64:22:07:4f:0f:05:e1:8a:e4:9d:b7:ac:77:5f:e7

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\a\1\s\Win32\Release\PsfRuntime32.pdb

Imports

kernel32

GetFinalPathNameByHandleW
GetModuleFileNameW
CreateFileW
GetCurrentThreadId
GetCurrentPackagePath
MultiByteToWideChar
GetLastError
OutputDebugStringW
CloseHandle
HeapAlloc
GetCurrentPackageFamilyName
GetProcAddress
GetCurrentPackageFullName
GetProcessHeap
GetModuleHandleW
OutputDebugStringA
DebugBreak
LoadLibraryExW
IsDebuggerPresent
SetLastError
TerminateProcess
GetFileAttributesW
ResumeThread
GetFileAttributesA
CreateProcessW
QueryFullProcessImageNameW
CreateProcessA
GetCurrentThread
LoadLibraryW
FreeLibrary
HeapSize
GetConsoleOutputCP
GetCurrentApplicationUserModelId
GetModuleHandleExW
HeapFree
WideCharToMultiByte
WriteFile
FlushFileBuffers
SetStdHandle
VirtualProtect
VirtualFree
GetCurrentProcess
VirtualAlloc
SuspendThread
VirtualProtectEx
GetThreadContext
FlushInstructionCache
SetThreadContext
VirtualQuery
VirtualQueryEx
WriteProcessMemory
GetEnvironmentVariableW
WaitForSingleObject
OpenProcess
VirtualAllocEx
ExitProcess
ReadProcessMemory
IsWow64Process
GetExitCodeProcess
LocalFree
FormatMessageA
GetStringTypeW
FindClose
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
SetEndOfFile
SetFilePointerEx
AreFileApisANSI
GetFileInformationByHandleEx
CompareStringEx
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
LCMapStringEx
GetCPInfo
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
RtlUnwind
RaiseException
InterlockedFlushSList
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
HeapReAlloc
GetStdHandle
GetFileType
ReadFile
GetConsoleMode
ReadConsoleW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW

user32

MessageBoxW

advapi32

EventSetInformation
EventUnregister
EventWriteTransfer
EventRegister

shell32

SHGetKnownFolderPath

ole32

CoTaskMemFree

Exports

Exports

?PSFQueryPackageFamilyName@@YGPB_WXZ
DetourFinishHelperProcess
_PSFQueryAppLaunchConfig@8
_PSFQueryAppMonitorConfig@0
_PSFQueryApplicationId@0
_PSFQueryApplicationUserModelId@0
_PSFQueryConfig@8
_PSFQueryConfigRoot@0
_PSFQueryCurrentAppLaunchConfig@4
_PSFQueryCurrentExeConfig@0
_PSFQueryDllConfig@4
_PSFQueryEndScriptInfo@0
_PSFQueryExeConfig@4
_PSFQueryFinalPackageRootPath@0
_PSFQueryPackageFullName@0
_PSFQueryPackageRootPath@0
_PSFQueryStartScriptInfo@0
_PSFRegister@8
_PSFReportError@4
_PSFUnregister@8

Sections

.text
Size: 254KB - Virtual size: 254KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 77KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

psf
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
PsfRuntime64.dll
.dll windows:6 windows x64 arch:x64

Password: infected

de350c6095b02fd305afdbe337b14afd

Code Sign

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/03/2023, 18:43

Not After

14/03/2024, 18:43

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d2:15:c1:18:dd:d2:e4:0f:e9:3c:98:fe:7d:bd:b3:e7:65:c6:9c:82:be:d6:03:16:20:98:4d:f6:56:3a:d1:f2
Signer

Actual PE Digest

d2:15:c1:18:dd:d2:e4:0f:e9:3c:98:fe:7d:bd:b3:e7:65:c6:9c:82:be:d6:03:16:20:98:4d:f6:56:3a:d1:f2

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

D:\a\1\s\x64\Release\PsfRuntime64.pdb

Imports

kernel32

GetFinalPathNameByHandleW
GetModuleFileNameW
CreateFileW
GetCurrentThreadId
GetCurrentPackagePath
MultiByteToWideChar
GetLastError
OutputDebugStringW
CloseHandle
HeapAlloc
GetCurrentPackageFamilyName
GetProcAddress
GetCurrentPackageFullName
GetProcessHeap
GetModuleHandleW
OutputDebugStringA
DebugBreak
LoadLibraryExW
IsDebuggerPresent
SetLastError
TerminateProcess
GetFileAttributesW
ResumeThread
GetFileAttributesA
CreateProcessW
QueryFullProcessImageNameW
CreateProcessA
GetCurrentThread
LoadLibraryW
FreeLibrary
WriteConsoleW
HeapSize
GetCurrentApplicationUserModelId
GetModuleHandleExW
HeapFree
WideCharToMultiByte
GetConsoleOutputCP
WriteFile
FlushFileBuffers
SetStdHandle
VirtualProtect
VirtualFree
GetCurrentProcess
VirtualAlloc
SuspendThread
VirtualProtectEx
GetThreadContext
FlushInstructionCache
SetThreadContext
VirtualQuery
VirtualQueryEx
WriteProcessMemory
GetEnvironmentVariableW
WaitForSingleObject
OpenProcess
VirtualAllocEx
ExitProcess
ReadProcessMemory
IsWow64Process
GetExitCodeProcess
LocalFree
FormatMessageA
GetStringTypeW
FindClose
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
SetEndOfFile
SetFilePointerEx
AreFileApisANSI
GetFileInformationByHandleEx
CompareStringEx
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
LCMapStringEx
GetCPInfo
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
RtlUnwindEx
RtlPcToFileHeader
RaiseException
InterlockedFlushSList
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
HeapReAlloc
GetStdHandle
GetFileType
ReadFile
GetConsoleMode
ReadConsoleW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW

user32

MessageBoxW

advapi32

EventSetInformation
EventUnregister
EventWriteTransfer
EventRegister

shell32

SHGetKnownFolderPath

ole32

CoTaskMemFree

Exports

Exports

?PSFQueryPackageFamilyName@@YAPEB_WXZ
DetourFinishHelperProcess
PSFQueryAppLaunchConfig
PSFQueryAppMonitorConfig
PSFQueryApplicationId
PSFQueryApplicationUserModelId
PSFQueryConfig
PSFQueryConfigRoot
PSFQueryCurrentAppLaunchConfig
PSFQueryCurrentExeConfig
PSFQueryDllConfig
PSFQueryEndScriptInfo
PSFQueryExeConfig
PSFQueryFinalPackageRootPath
PSFQueryPackageFullName
PSFQueryPackageRootPath
PSFQueryStartScriptInfo
PSFRegister
PSFReportError
PSFUnregister

Sections

.text
Size: 310KB - Virtual size: 309KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 108KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

psf
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Registry.dat
Resources.pri
StartingScriptWrapper.ps1
.ps1
User.dat
VFS/ProgramFilesX64/7z2404-extra/7za.dll
.dll windows:4 windows x86 arch:x86

edb01ced967d1545f46e4d8d004d088e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

oleaut32

SysAllocStringByteLen
SysAllocStringLen
SysAllocString
SysFreeString
SysStringLen
VariantCopy
VariantClear

user32

CharUpperW

msvcrt

_adjust_fdiv
_initterm
_onexit
__dllonexit
?terminate@@YAXXZ
??1type_info@@UAE@XZ
_except_handler3
_beginthreadex
realloc
memset
strlen
wcscmp
memcpy
memmove
free
_CxxThrowException
malloc
memcmp
_purecall
__CxxFrameHandler

kernel32

GetTempPathW
InitializeCriticalSection
ReleaseSemaphore
CreateSemaphoreW
ResetEvent
SetEvent
CreateEventW
SetThreadAffinityMask
ResumeThread
WaitForSingleObject
InterlockedIncrement
GetVersion
IsProcessorFeaturePresent
GetModuleHandleW
VirtualFree
VirtualAlloc
LoadLibraryW
FreeLibrary
QueryPerformanceCounter
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetVersionExW
GlobalMemoryStatus
GetSystemInfo
GetCurrentProcess
GetProcessAffinityMask
WriteFile
ReadFile
GetLastError
CloseHandle
SetFileTime
CreateFileW
SetFileAttributesW
CreateDirectoryW
DeleteFileW
SetLastError
GetCurrentDirectoryW
GetCurrentProcessId
GetTickCount
GetCurrentThreadId
GetFileInformationByHandle
FindClose
FindFirstFileW
GetProcAddress
GetModuleHandleA
GetFileAttributesW

Exports

Exports

CreateDecoder
CreateEncoder
CreateObject
GetHandlerProperty
GetHandlerProperty2
GetHashers
GetIsArc
GetMethodProperty
GetModuleProp
GetNumberOfFormats
GetNumberOfMethods
SetCaseSensitive
SetCodecs
SetLargePageMode

Sections

.text
Size: 241KB - Virtual size: 241KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.sxdata
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
VFS/ProgramFilesX64/7z2404-extra/7za.exe
.exe windows:4 windows x86 arch:x86

6f18dc28cf1faef40cedf506a5685aac

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

oleaut32

VariantCopy
SysAllocStringLen
SysAllocString
SysFreeString
SysStringLen
VariantClear

user32

CharPrevExA
CharUpperW

advapi32

OpenProcessToken
GetFileSecurityW
SetFileSecurityW
RegQueryValueExW
RegCloseKey
RegOpenKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueW

msvcrt

_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
__p___initenv
exit
_XcptFilter
_exit
_onexit
__dllonexit
??1type_info@@UAE@XZ
?terminate@@YAXXZ
_except_handler3
_beginthreadex
realloc
_ftol
memset
strlen
wcscmp
wcsstr
strcmp
memmove
fputs
fputc
fflush
fgetc
_iob
free
malloc
memcmp
_purecall
memcpy
_CxxThrowException
__CxxFrameHandler
_isatty
_fileno

kernel32

SetThreadAffinityMask
CreateEventW
SetEvent
ResetEvent
CreateSemaphoreW
ReleaseSemaphore
InitializeCriticalSection
WaitForSingleObject
CreateHardLinkW
InterlockedIncrement
GetVersion
VirtualFree
VirtualAlloc
GetOEMCP
LocalFileTimeToFileTime
SetConsoleMode
GetConsoleMode
GetVersionExW
SetFileApisToOEM
GetCommandLineW
GetConsoleScreenBufferInfo
SetConsoleCtrlHandler
DeleteCriticalSection
QueryPerformanceFrequency
QueryPerformanceCounter
GetProcessTimes
OpenEventW
OpenFileMappingW
MapViewOfFile
UnmapViewOfFile
SetProcessAffinityMask
WaitForMultipleObjects
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
FileTimeToDosDateTime
DosDateTimeToFileTime
IsProcessorFeaturePresent
GlobalMemoryStatus
GetSystemInfo
GetProcessAffinityMask
FileTimeToLocalFileTime
FileTimeToSystemTime
CompareFileTime
GetModuleHandleW
GetCurrentProcess
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetLastError
MultiByteToWideChar
WideCharToMultiByte
FreeLibrary
LoadLibraryW
GetModuleFileNameW
LocalFree
FormatMessageW
CloseHandle
SetFileTime
CreateFileW
SetFileAttributesW
RemoveDirectoryW
MoveFileW
CreateDirectoryW
DeleteFileW
SetLastError
SetCurrentDirectoryW
GetCurrentDirectoryW
GetTempPathW
GetCurrentProcessId
GetTickCount
GetCurrentThreadId
GetFileInformationByHandle
GetStdHandle
FindClose
FindFirstFileW
FindNextFileW
GetProcAddress
GetModuleHandleA
GetFileAttributesW
GetLogicalDriveStringsW
GetFileSize
SetFilePointer
DeviceIoControl
ReadFile
WriteFile
SetEndOfFile
ResumeThread

Sections

.text
Size: 701KB - Virtual size: 701KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 90KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.sxdata
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
VFS/ProgramFilesX64/7z2404-extra/7zxa.dll
.dll windows:4 windows x86 arch:x86

cd3731e16c560eee547e3c651dae4f7f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

oleaut32

SysAllocStringByteLen
SysAllocStringLen
SysFreeString
SysStringLen
VariantClear

msvcrt

__dllonexit
_onexit
_initterm
_adjust_fdiv
?terminate@@YAXXZ
??1type_info@@UAE@XZ
_beginthreadex
memset
strlen
free
malloc
_CxxThrowException
memcpy
memmove
memcmp
_purecall
__CxxFrameHandler
_except_handler3

kernel32

InitializeCriticalSection
ReleaseSemaphore
CreateSemaphoreW
ResetEvent
SetEvent
CreateEventW
WaitForSingleObject
CloseHandle
IsProcessorFeaturePresent
GetModuleHandleW
VirtualFree
VirtualAlloc
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetVersionExW
GetModuleHandleA
GetProcAddress
GlobalMemoryStatus
GetSystemInfo
GetCurrentProcess
GetProcessAffinityMask
GetVersion
GetLastError

Exports

Exports

CreateDecoder
CreateEncoder
CreateObject
GetHandlerProperty
GetHandlerProperty2
GetHashers
GetIsArc
GetMethodProperty
GetModuleProp
GetNumberOfFormats
GetNumberOfMethods
SetCaseSensitive
SetCodecs
SetLargePageMode

Sections

.text
Size: 128KB - Virtual size: 128KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.sxdata
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipEng.hlf
VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipEng.lng
VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipFar.dll
.dll windows:4 windows x86 arch:x86

ea76c211bceaa0b3e988007ef472c487

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

oleaut32

VariantCopy
SysFreeString
SysStringLen
SysAllocStringLen
SysStringByteLen
SysAllocString
VariantClear

user32

CharUpperW

advapi32

RegOpenKeyExW
GetFileSecurityW
SetFileSecurityW
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
RegQueryValueExW
RegSetValueExW
RegDeleteValueW
RegEnumKeyExW
RegDeleteKeyW
RegCloseKey
RegCreateKeyExW

msvcrt

_adjust_fdiv
_initterm
?terminate@@YAXXZ
??1type_info@@UAE@XZ
_onexit
__dllonexit
_except_handler3
wcsstr
strstr
free
malloc
memmove
strlen
memset
wcscmp
strcmp
memcmp
_purecall
memcpy
_CxxThrowException
__CxxFrameHandler

kernel32

InitializeCriticalSection
GetModuleFileNameW
VirtualFree
VirtualAlloc
GetSystemTimeAsFileTime
FileTimeToDosDateTime
GetCurrentProcess
lstrlenW
FileTimeToLocalFileTime
FileTimeToSystemTime
CompareFileTime
GetDriveTypeW
DeviceIoControl
SetEndOfFile
WriteFile
ReadFile
SetFilePointer
GetFileSize
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetLastError
ReadConsoleInputW
GetNumberOfConsoleInputEvents
GetStdHandle
GetVersionExW
GetTickCount
AreFileApisANSI
MultiByteToWideChar
WideCharToMultiByte
FreeLibrary
LoadLibraryExW
LoadLibraryW
LocalFree
FormatMessageW
CloseHandle
SetFileTime
CreateFileW
SetFileAttributesW
RemoveDirectoryW
MoveFileW
CreateHardLinkW
CreateDirectoryW
DeleteFileW
SetLastError
GetCurrentDirectoryW
GetTempPathW
GetCurrentProcessId
GetCurrentThreadId
GetFileInformationByHandle
FindClose
FindFirstFileW
FindNextFileW
GetProcAddress
GetModuleHandleA
GetFileAttributesW

Exports

Exports

ClosePlugin
Configure
DeleteFiles
ExitFAR
FreeFindData
GetFiles
GetFindData
GetOpenPluginInfo
GetPluginInfo
OpenFilePlugin
OpenPlugin
ProcessKey
PutFiles
SetDirectory
SetStartupInfo

Sections

.text
Size: 214KB - Virtual size: 214KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.sxdata
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 840B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipFar64.dll
.dll windows:4 windows x64 arch:x64

de297ca23880e1543f5c5121dfbab235

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

oleaut32

SysAllocString
SysStringLen
SysAllocStringLen
VariantClear
VariantCopy
SysStringByteLen
SysFreeString

user32

CharUpperW

advapi32

RegDeleteKeyW
GetFileSecurityW
SetFileSecurityW
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegQueryValueExW
RegSetValueExW
RegDeleteValueW
RegCloseKey

msvcrt

free
malloc
strlen
memset
memmove
strstr
strcmp
memcmp
_CxxThrowException
memcpy
__CxxFrameHandler
wcsstr
__C_specific_handler
__dllonexit
_onexit
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
_initterm
wcscmp

kernel32

InitializeCriticalSection
Sleep
FormatMessageW
VirtualFree
VirtualAlloc
GetProcAddress
GetSystemTimeAsFileTime
FileTimeToDosDateTime
GetCurrentProcess
lstrlenW
FileTimeToLocalFileTime
FileTimeToSystemTime
CompareFileTime
GetDriveTypeW
DeviceIoControl
SetEndOfFile
WriteFile
ReadFile
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
ReadConsoleInputW
GetNumberOfConsoleInputEvents
GetStdHandle
GetLastError
GetTickCount
AreFileApisANSI
MultiByteToWideChar
WideCharToMultiByte
FreeLibrary
LoadLibraryExW
LoadLibraryW
GetModuleFileNameW
LocalFree
CloseHandle
SetFileTime
CreateFileW
SetFileAttributesW
RemoveDirectoryW
MoveFileW
CreateHardLinkW
CreateDirectoryW
DeleteFileW
GetCurrentDirectoryW
GetTempPathW
SetLastError
GetCurrentProcessId
GetCurrentThreadId
GetFileInformationByHandle
FindClose
FindFirstFileW
FindNextFileW
FindFirstStreamW
FindNextStreamW
GetFileAttributesW
GetFileSize
SetFilePointer

Exports

Exports

ClosePlugin
Configure
DeleteFiles
ExitFAR
FreeFindData
GetFiles
GetFindData
GetOpenPluginInfo
GetPluginInfo
OpenFilePlugin
OpenPlugin
ProcessKey
PutFiles
SetDirectory
SetStartupInfo

Sections

.text
Size: 315KB - Virtual size: 314KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 110KB - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 27KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 840B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipRus.hlf
VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipRus.lng
VFS/ProgramFilesX64/7z2404-extra/Far/7zToFar.ini
VFS/ProgramFilesX64/7z2404-extra/Far/far7z.reg
VFS/ProgramFilesX64/7z2404-extra/Far/far7z.txt
VFS/ProgramFilesX64/7z2404-extra/License.txt
VFS/ProgramFilesX64/7z2404-extra/arm64/7-ZipFar.dll
VFS/ProgramFilesX64/7z2404-extra/arm64/7za.dll
VFS/ProgramFilesX64/7z2404-extra/arm64/7za.exe
VFS/ProgramFilesX64/7z2404-extra/arm64/7zxa.dll
VFS/ProgramFilesX64/7z2404-extra/history.txt
VFS/ProgramFilesX64/7z2404-extra/readme.txt
VFS/ProgramFilesX64/7z2404-extra/x64/7za.dll
.dll windows:4 windows x64 arch:x64

18bc3b4099180bc67dd68352a0d42b48

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

oleaut32

SysStringLen
VariantClear
VariantCopy
SysAllocString
SysAllocStringByteLen
SysFreeString
SysAllocStringLen

user32

CharUpperW

advapi32

SystemFunction036

msvcrt

memset
strlen
__CxxFrameHandler
wcscmp
_purecall
memmove
memcpy
free
_CxxThrowException
malloc
memcmp
realloc
__C_specific_handler
_beginthreadex
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
__dllonexit
_onexit
_initterm

kernel32

InitializeCriticalSection
ReleaseSemaphore
CreateSemaphoreW
ResetEvent
Sleep
CreateEventW
SetThreadAffinityMask
ResumeThread
WaitForSingleObject
SetEvent
IsProcessorFeaturePresent
GetLargePageMinimum
VirtualFree
VirtualAlloc
QueryPerformanceCounter
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
GlobalMemoryStatusEx
GetSystemInfo
GetCurrentProcess
GetProcessAffinityMask
WriteFile
ReadFile
GetLastError
CloseHandle
SetFileTime
CreateFileW
SetFileAttributesW
CreateDirectoryW
DeleteFileW
GetCurrentDirectoryW
GetTempPathW
SetLastError
GetCurrentProcessId
GetTickCount
GetCurrentThreadId
GetFileInformationByHandle
FindClose
FindFirstFileW
FindFirstStreamW
FindNextStreamW
GetFileAttributesW

Exports

Exports

CreateDecoder
CreateEncoder
CreateObject
GetHandlerProperty
GetHandlerProperty2
GetHashers
GetIsArc
GetMethodProperty
GetModuleProp
GetNumberOfFormats
GetNumberOfMethods
SetCaseSensitive
SetCodecs
SetLargePageMode

Sections

.text
Size: 306KB - Virtual size: 306KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 66KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
VFS/ProgramFilesX64/7z2404-extra/x64/7za.exe
.exe windows:4 windows x64 arch:x64

8122af7382bf626d4b6d8f35f0d8143e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

oleaut32

SysStringLen
VariantClear
VariantCopy
SysAllocString
SysFreeString
SysAllocStringLen

user32

CharUpperW
CharPrevExA

advapi32

OpenProcessToken
SystemFunction036
GetFileSecurityW
SetFileSecurityW
RegOpenKeyExW
RegQueryValueExW
AdjustTokenPrivileges
LookupPrivilegeValueW
RegCloseKey

msvcrt

_exit
_c_exit
_XcptFilter
_onexit
__dllonexit
?terminate@@YAXXZ
??1type_info@@UEAA@XZ
__C_specific_handler
_beginthreadex
realloc
_purecall
_isatty
memset
strlen
_cexit
wcscmp
strcmp
memmove
fflush
fputc
fputs
_iob
fgetc
free
malloc
memcmp
__CxxFrameHandler
_CxxThrowException
memcpy
exit
__getmainargs
__initenv
_initterm
__setusermatherr
_commode
_fmode
__set_app_type
wcsstr

kernel32

ResumeThread
SetThreadAffinityMask
CreateEventW
SetEvent
ResetEvent
CreateSemaphoreW
ReleaseSemaphore
InitializeCriticalSection
GetVersion
RemoveDirectoryW
WaitForSingleObject
GetLargePageMinimum
VirtualFree
VirtualAlloc
GetOEMCP
LocalFileTimeToFileTime
GetConsoleMode
SetConsoleMode
SetFileApisToOEM
GetCommandLineW
GetConsoleScreenBufferInfo
SetConsoleCtrlHandler
GetProcessTimes
QueryPerformanceFrequency
QueryPerformanceCounter
DeleteCriticalSection
SetProcessAffinityMask
OpenEventW
UnmapViewOfFile
MapViewOfFile
OpenFileMappingW
WaitForMultipleObjects
LeaveCriticalSection
EnterCriticalSection
GetSystemTimeAsFileTime
FileTimeToDosDateTime
DosDateTimeToFileTime
IsProcessorFeaturePresent
GlobalMemoryStatusEx
GetSystemInfo
GetProcessAffinityMask
FileTimeToLocalFileTime
FileTimeToSystemTime
CompareFileTime
GetModuleHandleW
GetProcAddress
GetCurrentProcess
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetLastError
MultiByteToWideChar
WideCharToMultiByte
FreeLibrary
LoadLibraryW
GetModuleFileNameW
LocalFree
FormatMessageW
CloseHandle
SetFileTime
CreateFileW
SetFileAttributesW
MoveFileW
CreateHardLinkW
CreateDirectoryW
DeleteFileW
SetCurrentDirectoryW
GetCurrentDirectoryW
GetTempPathW
SetLastError
GetCurrentProcessId
GetTickCount
GetCurrentThreadId
GetFileInformationByHandle
GetStdHandle
FindClose
FindFirstFileW
FindNextFileW
FindFirstStreamW
FindNextStreamW
GetFileAttributesW
GetLogicalDriveStringsW
DeviceIoControl
GetFileSize
SetFilePointer
ReadFile
WriteFile
SetEndOfFile

Sections

.text
Size: 955KB - Virtual size: 954KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 257KB - Virtual size: 256KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 63KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
VFS/ProgramFilesX64/7z2404-extra/x64/7zxa.dll
.dll windows:4 windows x64 arch:x64

1353ce6b26348ac6f792fe77a59eff9d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

oleaut32

SysFreeString
SysAllocStringByteLen
SysStringLen
VariantClear
SysAllocStringLen

msvcrt

__dllonexit
?terminate@@YAXXZ
??1type_info@@UEAA@XZ
__C_specific_handler
_beginthreadex
_purecall
memset
strlen
_initterm
malloc
__CxxFrameHandler
_CxxThrowException
memmove
memcpy
memcmp
free
_onexit

kernel32

GetProcessAffinityMask
GetCurrentProcess
GetSystemInfo
GlobalMemoryStatusEx
Sleep
InitializeCriticalSection
ReleaseSemaphore
CreateSemaphoreW
ResetEvent
SetEvent
CreateEventW
WaitForSingleObject
CloseHandle
IsProcessorFeaturePresent
GetLargePageMinimum
VirtualFree
VirtualAlloc
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
GetLastError

Exports

Exports

CreateDecoder
CreateEncoder
CreateObject
GetHandlerProperty
GetHandlerProperty2
GetHashers
GetIsArc
GetMethodProperty
GetModuleProp
GetNumberOfFormats
GetNumberOfMethods
SetCaseSensitive
SetCodecs
SetLargePageMode

Sections

.text
Size: 156KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 35KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
VFS/ProgramFilesX64/PsfRunDll64.exe
.exe windows:6 windows x64 arch:x64

0e5c9a29fdcee2791341cd303678be64

Code Sign

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/03/2023, 18:43

Not After

14/03/2024, 18:43

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

cb:df:4d:bb:88:21:a0:92:0e:ed:70:53:11:a3:0f:3a:6c:39:80:c1:ce:0d:af:38:4e:b7:e3:f9:e3:b8:97:cd
Signer

Actual PE Digest

cb:df:4d:bb:88:21:a0:92:0e:ed:70:53:11:a3:0f:3a:6c:39:80:c1:ce:0d:af:38:4e:b7:e3:f9:e3:b8:97:cd

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\1\s\x64\Release\PsfRunDll64.pdb

Imports

kernel32

GetLastError
LoadLibraryA
GetProcAddress
WriteConsoleW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
EncodePointer
RaiseException
RtlPcToFileHeader
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
GetStringTypeW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
LCMapStringW
GetProcessHeap
HeapSize
HeapReAlloc
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
SetFilePointerEx
CreateFileW
CloseHandle

Sections

.text
Size: 56KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
VFS/ProgramFilesX64/client2.7z
.7z
[Content_Types].old
.xml
[Content_Types].xml
.xml
config.json
fix.ps1
.ps1

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

Password: infected

Password: infected

7b63f97e8f0c360699c20e7c30842630

Code Sign

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4eCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

69:d0:13:a7:5c:5d:ae:aa:c3:29:0e:40:43:a3:04:13:6f:c5:dc:11:70:6e:61:98:2b:51:5d:b4:82:d0:23:0dSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

ole32

psfruntime32

Sections

.text Size: 207KB - Virtual size: 207KB

.rdata Size: 68KB - Virtual size: 67KB

.data Size: 5KB - Virtual size: 9KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 10KB - Virtual size: 10KB

Password: infected

8e9b7caff9376bbdc8b416a414b64656

Code Sign

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4eCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

2a:cd:2b:db:ff:a7:68:4f:c2:5f:f0:a2:a0:60:28:15:f6:47:23:6c:9f:05:81:18:52:9c:1e:da:d3:52:e0:28Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

ole32

psfruntime64

Sections

.text Size: 242KB - Virtual size: 242KB

.rdata Size: 94KB - Virtual size: 94KB

.data Size: 6KB - Virtual size: 13KB

.pdata Size: 12KB - Virtual size: 12KB

_RDATA Size: 512B - Virtual size: 244B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 3KB - Virtual size: 2KB

Password: infected

b1a931f51b30b56b60ecdb5d25bf3458

Code Sign

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4eCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

27:7e:36:6a:87:38:f0:2d:f9:50:ec:7d:2e:ce:46:5c:7b:f6:e0:42:cf:ba:4c:97:d2:a9:53:57:4a:67:a3:d7Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

Sections

.text Size: 51KB - Virtual size: 50KB

.rdata Size: 24KB - Virtual size: 23KB

.data Size: 2KB - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 480B

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

69:d0:13:a7:5c:5d:ae:aa:c3:29:0e:40:43:a3:04:13:6f:c5:dc:11:70:6e:61:98:2b:51:5d:b4:82:d0:23:0d
Signer

.text
Size: 207KB - Virtual size: 207KB

.rdata
Size: 68KB - Virtual size: 67KB

.data
Size: 5KB - Virtual size: 9KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 10KB - Virtual size: 10KB

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

2a:cd:2b:db:ff:a7:68:4f:c2:5f:f0:a2:a0:60:28:15:f6:47:23:6c:9f:05:81:18:52:9c:1e:da:d3:52:e0:28
Signer

.text
Size: 242KB - Virtual size: 242KB

.rdata
Size: 94KB - Virtual size: 94KB

.data
Size: 6KB - Virtual size: 13KB

.pdata
Size: 12KB - Virtual size: 12KB

_RDATA
Size: 512B - Virtual size: 244B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 3KB - Virtual size: 2KB

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

27:7e:36:6a:87:38:f0:2d:f9:50:ec:7d:2e:ce:46:5c:7b:f6:e0:42:cf:ba:4c:97:d2:a9:53:57:4a:67:a3:d7
Signer

.text
Size: 51KB - Virtual size: 50KB

.rdata
Size: 24KB - Virtual size: 23KB

.data
Size: 2KB - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 4KB - Virtual size: 3KB

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

cb:df:4d:bb:88:21:a0:92:0e:ed:70:53:11:a3:0f:3a:6c:39:80:c1:ce:0d:af:38:4e:b7:e3:f9:e3:b8:97:cd
Signer

.text
Size: 56KB - Virtual size: 56KB

.rdata
Size: 38KB - Virtual size: 37KB

.data
Size: 3KB - Virtual size: 7KB

.pdata
Size: 4KB - Virtual size: 4KB

_RDATA
Size: 512B - Virtual size: 252B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 2KB - Virtual size: 1KB

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

89:87:ff:46:cb:36:89:89:f5:08:c5:c9:86:65:9d:76:b5:64:22:07:4f:0f:05:e1:8a:e4:9d:b7:ac:77:5f:e7
Signer

.text
Size: 254KB - Virtual size: 254KB

.rdata
Size: 77KB - Virtual size: 76KB

.data
Size: 6KB - Virtual size: 9KB

psf
Size: 512B - Virtual size: 16B

.detourc
Size: 4KB - Virtual size: 4KB

.detourd
Size: 512B - Virtual size: 12B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 13KB - Virtual size: 13KB

33:00:00:03:4e:b5:3c:7a:c1:84:6f:eb:2b:00:00:00:00:03:4e
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

d2:15:c1:18:dd:d2:e4:0f:e9:3c:98:fe:7d:bd:b3:e7:65:c6:9c:82:be:d6:03:16:20:98:4d:f6:56:3a:d1:f2
Signer